User authentication example in a single-user, embedded environment

In this example, Derby is
embedded in a single-user application that is deployed in a number of different
and potentially insecure ways. For that reason, the application developer
has decided to encrypt the database and to turn on user authentication using Derby's built-in user authentication,
which will not require connections to an LDAP server. The end-user must know
the bootPassword to boot the database and the user name and password
to connect to the database. Even if the database ended up in an e-mail, only
the intended recipient would be able to access data in the database. The application
developer has decided not to use any user authorization features, since each
database will accept only a single user. In that situation, the default full-access
connection mode is acceptable.

When creating the database, the application developer encrypts
the database by using the following connection URL:

Before deploying the database, the application developer turns
on user authentication, sets the authentication provider to BUILTIN, creates
a single user and password, and disallows system-wide properties to protect
the database-wide security property settings:

When the user connects (and boots) the database, the user has
to provide the bootPassword, the user name, and the password. The following
example shows how to provide those in a connection URL, although the application
programmer would probably provide GUI windows to allow the end user to type
those in: